How to configure ARP Miss message rate limit on S and E series switches

For S and E series switches (except S1700 switches): You can configure the rate limit on ARP Miss messages in one of the following methods as required (supported by the S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and all S series modular switches, but not supported by E series switches):

Other related questions:

An S series switch, except S1700, can limit the rate of ARP packets and ARP Miss messages.
When the switch receives many ARP packets, configure ARP packet rate limiting to prevent CPU overloading.
When the switch receives many IP packets whose destination IP addresses cannot be resolved, it generates a large number of ARP Miss messages, delivers temporary ARP entries, and sends many ARP Request packets to the destination network. This increases CPU load and consumes bandwidth. To mitigate such IP packet attacks, configure ARP Miss rate limiting on the switch.

For S series switches (except S1700 switches):
If a host sends an IP packet with an irresolvable destination IP address to attack an S series switch, ARP Miss messages are generated on the device because the device has a route to the destination IP address but has no ARP entry matching the next hop in the route.
The device generates and delivers temporary ARP entries based on ARP Miss messages and sends ARP Request packets to the destination network.

For S series switches (except S1700 switches): You can configure the rate limit on ARP packets in one of the following methods as required:
- Limiting the rate on ARP packets based on source MAC addresses (supported by the S5720EI, S5720HI, S6720EI, and all S series modular switches, but not supported by E series switches)
# Set the maximum rate of ARP packets from the specified MAC address 0-0-1 to 50 pps.
[HUAWEI] arp speed-limit source-mac 0-0-1 maximum 50
- Limiting the rate on ARP packets based on source IP addresses
# Set the maximum rate of ARP packets from the specified IP address 10.0.0.1 to 50 pps.
[HUAWEI] arp speed-limit source-ip 10.0.0.1 maximum 50
- Limiting the rate on ARP packets globally, in a VLAN, or on an interface
# Configure Layer 2 interface GE0/0/1 to allow 200 ARP packets to pass through in 10 seconds, and to discard all ARP packets for 60 seconds when the number of ARP packets exceeds the limit.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
- Limiting the rate on ARP packets on a VLANIF interface of a super-VLAN
# Set the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs to 500 pps.
[HUAWEI] arp speed-limit flood-rate 500

The S series switches, except S1700, use different ARP learning rates:
S series fixed switches:
The default CIR value for ARP request and reply packets is 64. Assume that the packet length is 60 bytes. The ARP learning rate can reach 100 pps. When the CIR value is increased to 500, the rate can reach 200 pps, with the CPU usage lower than 60%.
The rate of ARP learning triggered by ARP Miss packets is lower than 50 pps. The tested rate is 30 pps.
S series modular switches:
A test assumes that the default CPCAR settings (128 kbps for MPU and 64 kbps for LPU) are used, the CPU usage is lower than 50%, and the packet length is 60 bytes. The tested rate of ARP request and reply packets is 100 pps. When the CPCAR values are increased, the rate of received ARP request packets is 1000 pps and the rate of received ARP reply packets is 500 pps.
The rate of ARP learning triggered by ARP Miss packets is lower than 50 pps. The tested rate is 30 pps.

If a router processes a great number of ARP packets at the same time, the CPU may be overloaded and then fail to process other services. To protect CPU resources, set a rate limit for ARP packets on the router before such packets reach the CPU for processing.
The router supports the rate limit function based on source MAC addresses or source IP addresses of packets, super VLAN, global ARP packets, or ARP packets transmitted over a specified interface.
(1) Configure a rate limit for ARP packets according to a source MAC address.
a. Access the system view, and run the arp speed-limit source-mac maximum command to configure a rate limit for ARP packets according to any source MAC address.
b. Run the arp speed-limit source-mac mac-address maximum command to configure a rate limit for ARP packets for users with a specified MAC address.
If both the configurations are available, when the source MAC address in the ARP packets matches the specified MAC address, the rate limit for the ARP packets is the maximum value of the configuration in step b. Otherwise, the rate limit is the maximum value of the configuration in step a. By default, the router sets the rate limit for ARP packets containing any source MAC address to 0. That is, the router does not limit the rate of ARP packets according to the source MAC address.
(2) Configure a rate limit for ARP packets according to a source IP address.
a. Access the system view, and run the arp speed-limit source-ip maximum command to configure a rate limit for ARP packets according to any source IP address.
b. Run the arp speed-limit source-ip ip-address maximum command to configure a rate limit for ARP packets for users with a specified IP address.
If both the configurations are available, when the source IP address in the ARP packets matches the specified IP address, the rate limit for the ARP packets is the maximum value of the configuration in step b. Otherwise, the rate limit is the maximum value of the configuration in step a. By default, the router allows a maximum of five ARP packets (with the same source IP address) to be released within one second.
(3) Configure a global rate limit for ARP packets and a rate limit for ARP packets transmitted over a specified interface.
a. Access the system view, and run the interface interface-type interface-number command to access the interface view.
b. Run the arp anti-attack rate-limit enable command to enable the ARP packet rate limit function.
c. (Optional) Run the arp anti-attack rate-limit packet packet-number [ interval interval-value ] command to configure the rate limit and the interval for ARP packets.
d. Run the arp anti-attack rate-limit alarm enable command to enable the ARP packet discard alarm function.
e. (Optional) Run the arp anti-attack rate-limit alarm threshold threshold command to configure an ARP packet discard alarm threshold.
(4) Configure a rate limit for ARP packets for the VLANIF interface of a super VLAN.
Access the system view, and run the arp speed-limit flood-rate rate command to configure a broadcast transmission rate limit for ARP request packets under the VLANIF interfaces of all super VLANs.
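As an added illustration (not Huawei code and not the switch's actual implementation), the following Python models the semantics of the per-source and per-interface limits shown in the configuration list above and in steps (1) to (3): a limit for a specific MAC or IP overriding the any-source limit (0 meaning no check), and the packet/interval/block-timer behaviour of the interface limit. The class names, the per-second bucketing and the sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict

class ArpSpeedLimit:
    """'arp speed-limit source-mac|source-ip [key] maximum N' (pps): a limit
    for a specific key overrides the any-source limit; 0 = not checked."""
    def __init__(self, any_max=0, specific=None):
        self.any_max, self.specific = any_max, dict(specific or {})
        self.seen = defaultdict(int)  # (key, whole-second bucket) -> count

    def allow(self, key, ts):
        limit = self.specific.get(key, self.any_max)
        if limit == 0:
            return True
        self.seen[(key, int(ts))] += 1
        return self.seen[(key, int(ts))] <= limit

class ArpInterfaceLimit:
    """'arp anti-attack rate-limit packet P interval I block-timer B': at most
    P packets per I-second window; once exceeded, drop all ARP for B seconds."""
    def __init__(self, packet=200, interval=10, block_timer=60):
        self.packet, self.interval, self.block_timer = packet, interval, block_timer
        self.win_start, self.count, self.blocked_until = None, 0, None

    def allow(self, ts):
        if self.blocked_until is not None and ts < self.blocked_until:
            return False
        if self.win_start is None or ts - self.win_start >= self.interval:
            self.win_start, self.count = ts, 0
        self.count += 1
        if self.count > self.packet:
            self.blocked_until = ts + self.block_timer
            return False
        return True

def filter_arp(packets, per_mac, per_if):
    """packets: (timestamp_seconds, source_mac) tuples in time order.
    Returns (packets passed to the CPU, packets discarded)."""
    passed = dropped = 0
    for ts, mac in packets:
        if per_mac.allow(mac, ts) and per_if.allow(ts):
            passed += 1
        else:
            dropped += 1
    return passed, dropped

# Constructed traffic: 60 ARP packets within one second from 0-0-1 (limited
# to 50 pps as on the page) plus 20 from a host with no specific limit.
SAMPLE = sorted([(i / 60, "0-0-1") for i in range(60)] +
                [(i / 20, "0-0-2") for i in range(20)])
```

Calling filter_arp(SAMPLE, ArpSpeedLimit(specific={"0-0-1": 50}), ArpInterfaceLimit()) passes 70 packets and discards the 10 from 0-0-1 that exceed its 50 pps limit, while the interface limit only starts discarding once 200 packets have arrived within a 10-second window.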